Date: Tue, 7 May 2024 20:59:14 -0400
From: Kent Overstreet
To: Edward Adam Davis
Cc: bfoster@redhat.com, linux-bcachefs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+c48865e11e7e893ec4ab@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] bcachefs: fix oob in bch2_sb_clean_to_text
Message-ID: <7chwa5h2y2eotafxfnapxn754n7y3zpze2sm5dif3zyx7hkxcc@2zu6pskc7fbo>

On Wed, May 08, 2024 at 08:49:39AM +0800, Edward Adam Davis wrote:
> On Tue, 7 May 2024 10:14:22 -0400, Kent Overstreet wrote:
> > > When the clean field is too small, entry will never equal vstruct_end(&clean->field);
> > > the dead loop results in out-of-bounds access.
> > >
> > > Fixes: 12bf93a429c9 ("bcachefs: Add .to_text() methods for all superblock sections")
> > > Fixes: a37ad1a3aba9 ("bcachefs: sb-clean.c")
> > > Reported-and-tested-by: syzbot+c48865e11e7e893ec4ab@syzkaller.appspotmail.com
> > > Signed-off-by: Edward Adam Davis
> >
> > I've already got a patch up for this - the validation was missing as
> > well.
> >
> > commit f39055220f6f98a180e3503fe05bbf9921c425c8
> > Author: Kent Overstreet
> > Date: Sun May 5 22:28:00 2024 -0400
> >
> > bcachefs: Add missing validation for superblock section clean
> >
> > We were forgetting to check for jset entries that overrun the end of the
> > section - both in validate and to_text(); to_text() needs to be safe for
> > types that fail to validate.
> >
> > Reported-by: syzbot+c48865e11e7e893ec4ab@syzkaller.appspotmail.com
> > Signed-off-by: Kent Overstreet
> >
> > diff --git a/fs/bcachefs/sb-clean.c b/fs/bcachefs/sb-clean.c
> > index 35ca3f138de6..194e55b11137 100644
> > --- a/fs/bcachefs/sb-clean.c
> > +++ b/fs/bcachefs/sb-clean.c
> > @@ -278,6 +278,17 @@ static int bch2_sb_clean_validate(struct bch_sb *sb, > > return -BCH_ERR_invalid_sb_clean; > > } > > > > + for (struct jset_entry *entry = clean->start; > > + entry != vstruct_end(&clean->field); > > + entry = vstruct_next(entry)) { > > + if ((void *) vstruct_next(entry) > vstruct_end(&clean->field)) { > > + prt_str(err, "entry type "); > > + bch2_prt_jset_entry_type(err, le16_to_cpu(entry->type)); > > + prt_str(err, " overruns end of section"); > > + return -BCH_ERR_invalid_sb_clean; > > + } > > + } > > + > The original judgment here is sufficient, there is no need to add this section of inspection. No, we need to be able to print things that failed to validate so that we see what went wrong.
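Review bot: the quoted hunk changes only bch2_sb_clean_validate(), while the commit message says the same overrun check is needed in to_text() so it stays safe for sections that fail validation; that second hunk is not quoted in this reply, so a reader of this thread cannot confirm it from the context shown. Within the hunk itself the ordering is right: `(void *) vstruct_next(entry) > vstruct_end(&clean->field)` is tested before the loop advances, which is what stops an overlong entry from stepping past the `entry != vstruct_end(&clean->field)` termination condition. As a minor point, the error message reports only the entry type; adding the offending entry's offset within the section (and the section's size) would make a syzbot report diagnosable from the message alone.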
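The failure both messages describe is a walk that terminates only on `entry == vstruct_end(...)`, so an entry whose u64s is too large carries the cursor over the end and the next header read is out of bounds. The C model below is added here and is not code from the bcachefs tree or from either poster; it reproduces the pre-fix walk and the overrun check of the quoted hunk on constructed sections, walking in u64 offsets rather than pointers. The `HDR` macro, the one-word header layout and all names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not bcachefs code: a model of a superblock "clean" section as
 * a run of u64-sized jset-style entries. Each entry starts with a one-word
 * header whose low 16 bits hold u64s, the payload length in u64 words (header
 * excluded), as in struct jset_entry; the walk uses u64 offsets the way
 * vstruct_next()/vstruct_end() use pointers. Names are hypothetical. */
#define HDR(u64s, type) ((uint64_t)(u64s) | ((uint64_t)(type) << 16))

static size_t entry_next(const uint64_t *sec, size_t off)
{
    return off + 1 + (size_t)(sec[off] & 0xffff);   /* following entry */
}

/* Pre-fix loop: it stops only when the cursor lands exactly on the end, so an
 * overlong entry carries it past the end and the next header read would be
 * out of bounds. Modelled as: return 1 once the cursor has escaped, else 0. */
int walk_unchecked_escapes(const uint64_t *sec, size_t sec_u64s)
{
    for (size_t off = 0; off != sec_u64s; off = entry_next(sec, off))
        if (off > sec_u64s)
            return 1;
    return 0;
}

/* The check the fix adds: reject an entry whose declared length runs past the
 * section end before advancing to it. Returns entry count, or -1 on overrun. */
int validate(const uint64_t *sec, size_t sec_u64s)
{
    int n = 0;
    for (size_t off = 0; off != sec_u64s; off = entry_next(sec, off), n++)
        if (entry_next(sec, off) > sec_u64s)
            return -1;
    return n;
}

/* Constructed 4-word sections. good: payloads 1, 0, 0 fill it exactly.
 * bad: the second entry claims 3 payload words with one left, so the cursor
 * jumps from offset 2 straight to 6, past the end at 4. */
const uint64_t good_section[4] = { HDR(1, 1), 0xdead, HDR(0, 2), HDR(0, 3) };
const uint64_t bad_section[4]  = { HDR(1, 1), 0xdead, HDR(3, 2), 0 };
```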